Bug 506996 - (CVE-2009-1888) CVE-2009-1888 Samba improper file access
CVE-2009-1888 Samba improper file access
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 526658 526659 526660 526661 526663
  Show dependency treegraph
Reported: 2009-06-19 13:55 EDT by Josh Bressers
Modified: 2009-11-19 10:01 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-11-19 10:01:47 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1529 normal SHIPPED_LIVE Moderate: samba security update 2009-10-27 13:11:52 EDT
Red Hat Product Errata RHSA-2009:1585 normal SHIPPED_LIVE Moderate: samba3x security and bug fix update 2009-11-16 10:39:53 EST

  None (edit)
Description Josh Bressers 2009-06-19 13:55:03 EDT
A flaw was found in in Samba that could allow an authenticated attacker to
modify permissions on a file they should not have access to. Exploiting this
flaw is not trivial and a very strict set of conditions must first be met.

The conditions that need to be met to exploit this are as such:
1. You must have write access to the share
2. the 'dos filemodes' option needs to be set (not by default)
3. the random in the sbuf variable must look like a valid stat (we check it in
   the code called by can_write_to_file())

The upstream patch is here:
Comment 1 Vincent Danen 2009-06-25 08:18:04 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1888 to
the following vulnerability:

Name: CVE-2009-1888
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
Assigned: 20090602
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.0.34-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.3.5-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/security/CVE-2009-1888.html
Reference: BID:35472
Reference: URL: http://www.securityfocus.com/bid/35472
Reference: SECUNIA:35539
Reference: URL: http://secunia.com/advisories/35539
Reference: VUPEN:ADV-2009-1664
Reference: URL: http://www.vupen.com/english/advisories/2009/1664

The acl_group_override function in smbd/posix_acls.c in smbd in Samba
3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before
3.3.6, when dos filemode is enabled, allows remote attackers to modify
access control lists for files via vectors related to read access to
uninitialized memory.
Comment 2 Vincent Danen 2009-06-25 08:28:18 EDT
The Red Hat Security Response Team has rated this issue as having low security impact, a future samba package update may address this flaw in Red Hat Enterprise Linux 4 and 5. More information regarding issue severity can be found here:

Comment 8 errata-xmlrpc 2009-10-27 13:11:58 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1529 https://rhn.redhat.com/errata/RHSA-2009-1529.html
Comment 9 errata-xmlrpc 2009-11-16 10:39:59 EST
This issue has been addressed in following products:

  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1585 https://rhn.redhat.com/errata/RHSA-2009-1585.html

Note You need to log in before you can comment on or make changes to this bug.